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I. INTRODUCTION 

This ADP System Security Plan describes the security measures in effect for 
Phase I of the Advanced Image Processing and Recording Laboratory (AIPRL) net- 
work located on the first (ground) floor of Building 2, at the Eastman Kodak 
Company, Hawk Eye Plant, 20 Avenue E, Rochester, NY. 14650. The components 
for the Phase I network, residing within the AIPRL are: a "VAX Cluster” con- 
sisting of the Image Display Station 1 (IDS-1), VAX 11/785, and Image Display 
Station 2 (IDS-2), VAX 8600 Systems, DEC ETHERNET Package, DECNET Package, and 
the APTEC-1 and APTEC-2 I/O computers (I0C's). 


The IDS-1 (VAX 11/785) is located in Room 2-1-2, with image display stations 


and terminals located in Rooms 2-1-1, 2-1-3, and 2-1-4 of Building 2. These -- 


four rooms measure a total of 37 feet by 13 feet (See Figure 1). 


The IDS-2 (VAX 8600) is located in Room 2-1-5 of Building 2. This room mea- 
sures 46 feet by 38 feet (See Figure 1). Terminals for the IDS-2 are located 
in Room 2-1-1 of Building 2 (See Figure 1). Also residing in the AIPRL, but 
operating as separate and independent nodes are: (a) IBM 4341 (DPC) located 
in Room 2-1-5, (b) VAX 11/750 (SL) located in Room 2-1-9, and (c) MICRO VAX 
(LWD) located in Room 2-1-8 (See Figure 1). 


II. ADP SYSTEM SECURITY RESPONSIBILITY 

As designated by the Eastman Kodak Company Byeman Industrial Facilities 
Security Control Officer (BIFSCO), Mr. Thomas H. Daniels is the ADP System 
Security Representative (ADPSSR) on a full-time basis for the AIPRL. Mr. 





Daniels reports directly to BIFSCO, and can be reached via 
telephone on (716) 436-3586 or secure 00141 (716) 436-5054. Mr. Walter K. 








Koopman is the Facility Security Representative (FSR) for Hawkeye Plant (See 


Figure 2). 
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Figure 1. IDS-1 and IDS-2 Floor Plan 
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Figure 2. ADP System Security Organization 
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SYSTEM ENVIRONMENT 
AIPRL is within a TEMPEST enclosure located on the first (ground) floor of 


Building 2 in the North quadrant of an approved SCIF within the Hawk Eye Plant 


(see Figure 3). The TEMPEST enclosure was tested to MIL-STD-285 and NSA65-2, 


and certified by Program B Message 6835 dated 19 April 1980, recertification 


of the enclosure will be in 1986. AIPRL is also approved for open-shelf stor- 


age by Program B Message 4020 dated 10 June 1983. . Program B holds security 


cognizance for the AIPRL facility 


IV. SYSTEM SECURITY 


MODE OF OPERATION 

The Phase I configuration for the two VAX nodes and associated peri- 
pherals operates in the System High Mode (for two or more NFIB men- 
bers) as defined in Paragraph V.A.2, SCIREQ 84, dated August 1984. 


The Phase I configuration processes data for more than one customer, 
and is dedicated to process NRO sponsored multi-program sensitive 
compartmented information, up to and including TOP SECRET Byeman and 
TK. Unclassified program related software development activity is 
approved for this configuration by the Contracting Officers Technical 
Representative (COTR). 


PERSONNEL ACCESS CONTROLS 
1. The Phase I configuration is accessed by approximately 130 system 
users. These users require unescorted access to the network and 


are security approved according to DCID 1/14 standards and are 


access approved for all SCI programs. 
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Figure 3. Hawk Eye Floor Plan 
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2. Need-to-know is established by the appropriate EK Project Mana- 
ger, and access must be confirmed by an appropriate indicator. on 


the individuals area badge. 


3. Except for downtime periods, there is a minimum of two cleared 
individuals present in the AIPRL’ and the rooms in which terminals 
are installed; and two individuals are required to open and close 


the AIPRL. 


4. Access to the individual rooms ‘within the AIPRL is via simplex 


locks installed at the entrance door of each room. 


5. All visitors to the AIPRL must be identified and a visitor log is 
kept in the office of the FSR. 


6. All visits by uncleared personnel must be approved on a case-by- 


case basis by the FSR, and the following actions are taken: 


a. All sensitive material is secured in an approved security 


container. 


b. An “Uncleared Visitor in Area” sign is placed on the door of 
the room being visited. 


c. A flashing colored light is placed in the corridor outside 
the room being visited. 


d. The uncleared visitor is met at the plant entrance by an 
Customer-approved individual and is kept under’ constant 


escort throughout the visit. 
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e. The uncleared visitor is escorted back to the plant entrance 


at the end of the visit. 


€. PHYSICAL SECURITY 


1. Hawk-Eye Plant: 


a. The Hawk-Eye Plant is completely surrounded by barbed-wire 
topped eight (8) foot chain link fence. 


b. Eastman Kodak Company uniformed guards are stationed at the 
three (3) plant entrances. The main entrance, only, is open 


and manned twenty-four (24) hours per day. 


2. Hawk-Eye SCIF: 


a. Entry to and egress from the SCIF is through a twenty-four 
(24) hour per day guard post manned by a minimum of two (2) 
Customer-approved, Eastman Kodak Company uniformed guards 


utilizing a color coded badge exchange system. 
3. AIPRL: 


a. Entry to and egress from the AIPRL main entrance is con- 
trolled by an electronic cypher unit. For downtime purposes, 
the AIPRL entrance is also secured with an S&G safe-master 


extension 50 locking device. 
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4. Alarms: 


a. The AIPRL doors are equipped with magnetic contact door alarm 


switches, Class "A" alarm system. 


b. An advisor VIII high security ultrasonic motion detector sys- 
tem is used for the entire AIPRL. 


NOTE: All alarms are connected to the Wells Fargo annunciator 


system located at the 24 hour guard post: (see Paragraph 


C.2.a, above). 
D. SYSTEM HARDWARE 


1. The system hardware associated with the Phase I configuration is 
listed in Figure 4 by manufacturer, model number, serial number, 
memory size, and memory type. The system configuration (func- 
tional diagram) is shown in Figure 5. The security features of 


the VAX 11/785 and VAX 8600 are: 


““=~ a, Volatile memory (i.e., no residual memory exists when power 
to units is turned off). The VAX 8600 does have a battery 


back-up, to prevent loss of data during a power outage. 


b. Memory bounds mechanism which prohibits system users from 
reading/writing in memory occupied by the Operating System or 


other system users. 
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DIGITAL CRT W/KEYBQARD v1 220 ; TA01646 

OUGITAt CRT W/KEYBOARD vT220 1A0.4334 

NIGETAL CRT W/KEYBOARD V1220 ABARI93 

NIGIT Ar CRT W/KEVBOAKO Vv1220 TA044849 

DIGITAL Cal W/K EY BOARD v1220 TAFO1LO2 
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OUGUTAr CRT W/KEYBOARD VT1L102 TAF 6219 

t TEBERT fL EC. POWER UNIT trRc30 85255A 

2-1-2 
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TRIS DISK DRIVE 14 00TF 519 
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PRINTRONICS PRINTER P300 469128 
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DIGITAL TAPE DRIVE TAT8-AF SP13236 
“RASTER TECH. ~— — OTSPLAY ORIVER ~~ 80 ~~ 7" "~ ‘RT00349 
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DIGIT AL DISK DRIVE RABI-EA Cx89420, 0 

NIGITAL CISK DRIVE RAB1-EA CX89414 

DIGITAL = OLSK ORIVE === RAGO-EA si CXOZBIF 
“pret Tat ~CISK ORIVE ~"RAGO-EA “Cx0 2623 

DIGITAL DISK DRIVE RAGO-EA | Cxo3318 
“MIGITAL —”~<“—s~—si‘i—‘“s;‘<CERR TT «SKE BOARD —C[hCUVT2200¢0€«C CCC’ EA378490 0° 

OIGITAL SYSTEM PRINTER LAL00 ___PN59395 ee ee 

MB) fm Sead ate Soh eer a eit Ae Re Ae 8 Ae Se te Mt 

CONRAC MONITOR (Bow) QQA1LT/Y $23134 
“CONRAC | —”~——:CO MN ORR RI 7 8LICTI™ SC 85:10332° 

OTGITAL : CRT W/KEYBOARD VT 220 TAF 6147 epaenct.! 

STERQGRAPHICS MONITOR (B8EW) aS ae ane . 
DUNN/TEKTRONIX CAMERA SYSTEM 631. _ 253, 





an AREAS 22 1s6 £ 2-4-8 CONTINUED.JON NEXT PAGE 


Figure 4. System Hardware 
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MANUFACTURER CESCAIPTION MOUDEL @ 
2-1-4 
AMTRON GOLLO MONITIR C01909-2 
Can GOULD MONITOR 961T/C 
METSUBICHE GOULN MGNETAR M6950 
METSIBICHS GOULO MONITUR M6950. 
sanNy GUULO MONTTOR GRML9OL-12 
TEKTRONICK RASTER DISPLAY 634 
NIG AL CRT W/KEY BOARD vT220 
DIGH Tat CRT W/KEYROARD VT 220 
OIGITAL CRT W/KEYBOARD vT102 
a-1-8 
FUKANIX CIGITIZER 785 
DIGITAL CRT W/KEYBOARD vT240 
VAX - #600 COUIPMENT LIST 
MANUFACTURER CeESCRIPT TUN MUNDELL @ 
Natal ceu KAHO-AA 
NEG Al CPU-FROWT FND CAB. KA36-AA 
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2 URIS lu DESK ORIVE | _._ 1490. 
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DIGITAL TAPE DRIVE TA78-BF 
OIGITAL TAPE ORIVE TU78-AF 
_SYSTEM INDUSTRIES | TAPE DRIVE 9700-53 
DUGTTAL CRT W/KEYBOARD VT 220 
OUGITAL CRT M/KEVBOARD VT 102 | 
DIGITAL ERT W/KEYBOARD VT L902 
Figure 4A. System Hardware Continued 
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Figure 5. System Configuration 
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c. The system has two classes of machine instructions. One 
class is for the exclusive use of the Operating System. The 
other class is usable by both the Operating System and 


approved applications programs. 


d. A time-of-day clock is utilized for the recording of system 
activity, particularly the creation of printed output. 


E. SYSTEM SOFTWARE 


1. The operating system utilized by both nodes of the Phase I con- 
figuration is an unmodified VAX/VMS Release 4.4. 


2. The VAX/VMS Operating System: 


a. Supports all VAX computers, working reliably and efficiently 


in both time-sharing and production environments. 
b. On erroneous input, the user receives a message. 
c. On a power failure, the system shuts down automatically. 


d. Provides privilege, protection, and quota mechanisms to limit 
user access to system-controlled structures in physical 
memory, system-structured files and volumes, and certain 


devices. 


e. Maintains user accounts in a user authorization file which 


constitutes the basis for privilege and quota assignments. 


f. Includes a break-in detection which allows terminals to be 


disabled when a break-in attempt is detected. 
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g. Utilizes a user identification code (UIC), on which the pro- | 


tection mechanism is based. 
h. Has scavenge protection, provided in three forms: 


(1) File high-water marking which prevents users from read- 


ing beyond the end of a file mark. 


(2) Erase on delete which insures that information in a file 


is zeroed before being returned to general use. 


(3) Erase on extend which prevents a user from reading in- 
formation that may have been previously allocated to 


another file. 
F. SYSTEM ACCESS CONTROLS 


1. Each node in the Phase I configuration operates from a common 
system disk to ensure that the account and access control privi- 
leges do not differ from node to node. This common Access Con- 
trol List (ACL), User Authorization File (UAF), Rightslist File 
performs a function similar to the capability of the ACF2 secur- 


ity package. 


2. Prior to being allowed access to the Phase I network, each user 
is identified as Customer-approved and possessing an established 


need-to-know for data associated with the network. 


3. System logon passwords are individual user unique pronounceable 
identifiers no less than 6 characters and no longer than 8 char- 


acters in length. 
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4. System logon passwords are randomly selected frou a Customer-— 
supplied listing of.acceptable system logon passwords. The list- 
ing, and the assigned system logon passwords are controlled by 
the Facility Security Representative (FSR) and one alternate 


individual specifically designated by the FSR. 


5. Knowledge of the system logon passwords is restricted to the 


individual system user, the FSR, and the designated alternate to 


the FSR. 
6. System logon passwords are changed every six (6) months. 


7. Appropriate system logon passwords will be changed whenever an 
actual or suspected system compromise occurs, or whenever a sys- 


tem user leaves the project. 


8. The number of system logon password entry failures allowed a sys- 
tem user attempting to access any AIPRL system is limited to 
three (3). A user who exceeds this limitation is automatically 
denied access to the system and his/her access must be reacti- 


vated by the FSR. 


G. DATA AND PROGRAM STORAGE MEDIA 
All data and program storage media are assigned a document control 
number by the Document Control Office (D0), and are labeled, han- 
died, and stored at the highest security classification level of the 
information ever recorded on them. Any requested exception shall be 
approved, in writing, by the Customer's Information Systems Security 


Officer (ISSO). 
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1. Identification/Labeling: 
This activity is performed only by specifically designated per- 


sonnel in cooperation with the FSR and in accordance with appli- 


cable Customer directives. 


a. Magnetic tapes, disk packs, floppy disks, and cassettes are 
affixed with a label to indicate clearly the highest security 
classification level and SCI control channel(s) of the infor- 
mation ever contained on them, together with the appropriate 


document control number. 


b. Card decks and program listings are manually labeled in 
accordance with applicable Customer directives to indicate 
clearly the highest security classification level and SCI 
control channels(s) of the information contained on then, » 


together with the appropriate document control number. 


2. Transportation: 


Whenever removable magnetic data and program storage media, card 
decks, or program listings are required to be taken outside the 
SCIF, at least two Customer-approved individuals accompany the 


material. A receipting method is used to ensure that accounta- 


bility is maintained. 


3. Accountability: 


Specific Customer—approved individuals are designated, and read- 
ily identifiable on an access list maintained by the FSR, to 
receipt for all classified removable data and program storage 
media, card decks, and program listings. All classified media 
are accounted for using an accountability system approved by the 


Customer. 
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4. Sanitization Procedures: 


The following sanitization procedures are used: 
a. Regular Magnetic Tapes: 


(1) Regular ‘magnetic tapes (i.e., magnetic tapes having a 
coercivity of 325 oersteds or less) are degaussed using 

a Customer-approved Bell and Howell, Model TD~-290343, 
Magnetic tape degausser; the label identifying the high- 

est security classification and SCI control channel(s) 


of the information ever recorded on them is not removed. 


(2) When magnetic tapes become unusable, they are destroyed 
by the FSR in accordance with applicable Customer direc- 
tives and Customer-approved procedures. Receipts and 


logs of this activity are maintained in the DCO. 


b. Fixed Disk Units: 
Fixed disk units are sanitized using a Customer-approved, 
overwrite routine only after receiving written approval from 
the ADPSSR and assurance that this approval has been coor- 
dinated with the Customer's ISSO. If one of these units 
becomes no longer usable, the platters will -be removed and 
destroyed in accordance with applicable Customer directives 


and specific instructions received from the Customer's ISSO. 


c. Floppy Disks: 
Floppy disks are not sanitized. When these storage devices 
become unusable, they are destroyed in accordance with appli- 


cable Customer directives. 
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d. Internal Memory: 
Each network CPU employs semiconductor volatile internal 


memory. The power OFF procedure is used for sanitization. 


H. AUDIT TRAILS 
The audit trail records implemented utilize both automated and manual 


techniques. 


1. Automated Audit Trail: 
The automated records made available by both the VAX 11/785 and 
the VAX 8600 are fully utilized. The DEC Net Log provides date 
and total access times by User ID; and it records successful and 
unsuccessful attempts to SET HOST and access host and node data 
files. The ACL Log records successful and unsuccessful attempts 
to access host and node data sets, and the Operator Communica- 
tions Log records all other user activity and provides the 
security-related alarms described in Paragraphs IV.D and IV.E, 


above. 


These automated records are printed and reviewed daily by the 
Computer Facility Security Officer (CFSO), and maintained for one 
(1) year. Any irregularities are brought to the attention of the 
Facility Security Representative and the ADPSSR. 


2. Manual Audit Trail: 


a. Visitors Log: Used to record each visitor's name, date, and 
time of visit, and the name of the visitor's escort for the 


area. 
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b. Open/Close Log (Figure 6): Used to identify individuals who 
close/open the computing facility by date and time. 


c. Computer Center Security Checklist (Figure 7): Used to 
identify and verify all procedures required for system 


start-up, processing, and shut-down operations. 


d. Hardware Maintenance Log: Used to identify and maintain com 
puter system hardware changes, identify maintenance problems, 
identify individual performing maintenance operations, iden- 
tify assigned escort, identify exactly what maintenance is 


performed, and assess potential security impacts. 


e. Software Gonfiguration Control Log (Figure 8): Used to 
identify all software available to the system. 


f. Transportation Receipt (Figure 9): Used to provide tracea- 
bility for material being transmitted from one approved area 


to another approved area in accordance with Customer require- 


ments. 


g. Document Transaction Card (Figure 10): Used to record 
receipt, accountability, and destruction of all accountable 


‘material in accordance with Customer requirements. 


I. DOCUMENTATION 
Designated systems personnel possess/maintain a complete set of 
systems, operations, user, and program documentation in Room 1-11-12. 
This information is available for use by any individual who is 


customer-approved for unescorted access to the network. 
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SECURITY CONTAINER RECORD SHEET 


Container No. Location : Ares Plant 
j CHECKER QuaRD floor-bide rine : THe CHECKER GuarD 





sy TIME BY TIME BY DATE OfFENEN RY CUNSEN BY TIME BY TIM: #Y 


| WEIS E1690 
HET 6C740CCOI) BeA"7iS7e7Cl1T 14 
GOEC7 AICI CCo Be {eI e7IE40CL TT 
OCCA Ciclo) Bee e{e7cl rr 
CARI CA7L10CC0I Bescrzesne7clrT4 
PCAC] CA462Clri) BE8e7AbsaciCl TT 
MEAG TIEICLETI) Be WIC F7e 7corT 
DCT $A CAE1Clo) BE 7ec7Ie3ClCLT 
HDCT CA7EsCL) S77 e7Ic3C TT) 
BAHAI C7AceICllO SBE7IR I E7E37ClrLy 
HCCI CaeICoCII Ae7ICI7e7e7Cr rT) 
i 2 De 9 | as | es et | | | ee 
BC] b3;C3HICWI) S67 7e7e7ClrT4 
BARI CAGCIClLLT) Be 7e7e7e1CC rT) 
BET CICA7CICLI 1 PEs FIe7e)1CL TI 
at aS), aeicarine cae 





Figure 6. Open/Close Log 
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CHECKLIST FOR PREPARATION, PROCESSING, AND TERMINATION OF PROCESSING OF &*&47S4 INFORMATION 





Tine Initfals / 





Vreparat fon: Date 





1) Nofity wsers that the aystem ts shucting down for classiffed pidceds tng: 
2) Clear all unauthocf{red personnel from the computer room/termtnal room, 
3) Shut che aystem down with the SHUTDOWN software roucine and HALT the CPU. 
4) Shut the CPU off and leave off for five (5) minutes, MINIMUM. 
5S) Remove the system disk from the drive and secure. 
6) Remove the boot floppy from the drive and secure. 
7) Spin down, 
write protect, 


disable port select button’ and 


remove unit number plug from the additional -drive(s) that are not to be 
used during the classified processing period. 


8) Disconnect cluster commnication cables at the back of the CPU cabinet (CAREFULLY!!). 
9) Disconnect remote 1/0 devices at the patch panel. 

10) Disconnect all local I/O devices at the device. 

11) Disconnect the CPU from the Ethernet at the cpu. 

12) Insert &*&&Z$& boot-up floppy. 

13) Insert &*&&Z$& user/system disk. 


14) Boot the system at the console. 





Processing: Date Time — / Initials / 
15) Monitor system access at console. 
16) If a security-related, abnormal processing operation occurrs involving any 
storage media, stop processing and contact Tom Daniels, extension 32328. 
17) If processing is to continue, reboot the system at the console. 


18) Log all security-related abnorwal system operations/security violations 
and report them to Tom Daniels, extension 32328. 


19) In an emergency, secure the doors as you leave and activate the alarus. If 


time permits, secure demountable data and program storage media. Contact 
Tom Daniels, extension 32328, as soon as practical. 
Termination: Date Time ; Initials / 


20) Dump all accountability/activity files to demountable storage media. 
21) Shut the system down with the SHUTDOWN software routine and HALT the CPU. 
22) Remove the &*&&Z$& user/system disk from the drive. 


23) Remove the &*&&Z$& boot floppy from the drive. 
24) Shot the system off and leave off for five (5) minutes, MINIMUM. 


25) Shuc printer(s) used during processing period off and leave off for five (5) 
minuces, MINIMUM. * 


26) Return &*64%$6 disk to the designated custod fan. 


27) Vlace all classified waste, notes, Listings, working papers, and printer 
cibbous requiring destructton fa che spectal bucn contatner. 


28) Recura system to aormal opecat toa, 


Figure 7. Computer Center Security Checklist 
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SOFTWARE 


VAX _E1/785 —- I0S AREA 

















‘Manufacturer Description 
(b)(1) 
| (b)(3) 
1ssco DISSPLA Graphics V10.0 | 
{ 
International Math & IMSL Library 
Statistics Library, Inc. 
Gould/DeAnza LIPS Digital Image Processing Software V1.0 
| 
17s : System 570 Image Processing Software 
Raster Technologies ONE/80 Software Lib. 
CSPI (Array Porcessor) SNAP II Software, Extended Arithmatic [ 
Function Library V3.0 
Penn State Univ. Mini-tab Software 
(b)(1) 
(b)(3) 





Aptec Staple - Driver Software | 
i) 


Numerix (MARS 425) -,, Arex -— Avid (Fortran Devel. Sys.) i 


Figure 8. Software Configuration Log 
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| | No118002 


Materials Received: : 
rom Crennetsnumoen Gation) ete 
Description of Contents: 
0 Class. 
Transmitta! Authorized By: D unct. 
Gignature (ate) 
Description of Package, Envelope, Etc.: : 
From: ee mp ‘TO: ere se, FOR 
Signature Receipt(s) and Date(s): - 
£)) 4). 
2 5) 
3) 6)_- 
RE 3157 B74) LAST ENTRY SHOULD BE CROSS REFERENCED TO SUBSEQUENT CONTROL SYSTEM 


Figure 9. Transportation Receipt 
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cy ons. | Toc wo efenffcoeyf Po ene Po Pe oe 





OCR # 
[J riast issuance ‘ LJoestroyv * ([] transrer to procram Fre 
{_] curRRENT CUSTODIAN (ENTER BELOW) : [sew custooran (enter BeLow 
ROM a or LAST WARE Fist NAME ATIAL. 
USTODIAN'S RECORD : * 
RECD 
j SIGHATURE (ATE 
TLE LOCATION {SIGHATURE) ; D ) 
Be We pee a onto ne ee | 
INVENTORIED 
2 ee ee cae 
we ceretiey ries materian was 
nse A oe eee 
COMMITTED TO DESTRUCTION ON: 
2 a I ae ee STORE RITE 
PPPS EOP MURA HHU KHANNA RURAL VDNDKRUNBAARLCHAKMESEUAGNETIKSENUNAGERGOKHSURARNNNBRhANe AA, 


PaD/46H 


Figure 10. Document Transaction Card 
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STORAGE AREAS 
Storage of classified magnetic media (fixed disks, removeable disks, 


and tapes) is in Rooms 2-1-2 and 2-1-5, which are approved for open- 


shelf storage. Floppy diskettes, cassettes, hard copy output, and 
documents are stored in Customer-approved storage containers located 
through the AIPRL. Combinations for those containers are changed once 
a year or upon transfer/debriefing of an individual having knowledge 


of the combinations. 


COMMUNICATIONS LINKS 

Physical disconnects of I/0 devices or any direct memory access 
devices external to the network, but within the AIPRL facility, are 
provided by the use of switching devices. The ETHERNET capabil- 














ity provides node to node ‘communications and terminal communications 
within the network via COMSEC approved fiber optic links. There are 


no telecommunication capabilities in place or planned. 


EMANATIONS 

The AIPRL facility is constructed and approved per NSA-65-6 specifi- 
cations, and received TEMPEST certification from the Customer's com- 
munication security (COMSEC) authority via program B message 6835, 
dated 19 April 1980. 


SYSTEM OPERATIONS 


SYSTEM PREPARATION AND INITIALIZATION PROCEDURES 
Prior to processing classified information, the following actions are 


completed by systems support personnel. 
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1. All unauthorized personnel are cleared from the computing facility. 


2. Those I/O devices and direct access storage devices not to be used 
during processing operations are taken off-line. Only those ter- 
minals designated for use during processing operations remain 


connected. 


3. All demountable and program storage media not to be used during 
the scheduled processing are removed from the system and placed in 


approved storage containers. 


4. The CPU's internal memory is sanitized using the power OFF proce- 


dure. 


5. The dedicated version of the Operating System, including other 


attendant software, is loaded onto the system and the system is 


initialized for processing. 
B. DATA PROCESSING 


1. Security measures in effect during all processing periods are com- 
mensurate with the handling of material at the Top secret classi- 


fication level. 


2. During normal working hours, a minimum of two (2) security 
approved individuals. are present in the computing facility during 
classified processing. When unattended processing occurs during 
downtime, the computing area is secured and entry/egress is con- 
trolled by the monitoring of the alarms by guards stationed at the 


entrance to the SCIF. 
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3. Verification of terminal utilization, system user logon entries, 
and file access approvals of system users is performed by the 


system. 


4. If a security-related, abnormal processing operation occurs 
involving any storage media (i.e., system compromise, or data 
spillage), processing is stopped and the "ADP Systems Security 
Representative is contacted for determination of action to be 


taken. 


5. If processing is to continue, the dedicated version of the Operat— 


ing System is reloaded and the system reinitialized. 


6. All security-related abnormal system operations and security vio- 
lations are logged and reported.to the Contracting Officers Secur- 
ity Representative (COSR) and the Customer's ISSO via the ADP Sys- 


tems Security Representative. 


7. Should an act of nature or civil disturbance occur, or threaten to 
occur, the system operators will secure the doors and activate the 
alarms as they leave. If time permits, demountable data and stor- 
age media will be secured in approved storage containers. The ADP 
Systems Security Representative will be notified, and in turn will 


notify the Customer's ISSO, as soon as practical. 


C. OUTPUT CLASSIFICATION/HANDLING PROCEDURES 
Output produced during ‘classified processing is collected by the 
user(s). It is the user's responsibility to insure that all material 
is properly classified (i.e., labeled, assigned a control number). 


Any output not collected by the end of the day is collected by opera- 
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tions personnel, separated by user ID and secured in an approved stor- 
age container. If the user has not claimed the output within two 
days, it is destroyed in accordance with applicable customer direc- 


tives. 


D. MODE TERMINATION 


Upon completion of processing, the following actions are taken: 


1. All accountability/activity files are dumped to demountable stor- 


age media. 


2. <A Shut-down program initiated to remove all users and shut down 


the systen. 

3. Operators remove all demountable data and program storage media 
from the system used during the classified processing period, in- 
cluding the dedicated version of the Operation System. 

SYSTEM MAINTENANCE 
A. Uncleared maintenance representatives are monitored at all times by a 


Customer cleared individual who is technically knowledgeable of the sys- 


tem or component being maintained. 


B. All classified media are properly secured and the room/location of 


the maintenance activity is visually inspected prior to the visit. 


C. A visitor log is signed by the maintenance representative and by the 


project-assigned escort. prior to entering the SCIF. 
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D. Tool boxes and materials belonging to the maintenance representative 
are inspected by the assigned escort before being taken into the SCIF. 
Any communication devices and any magnetic media not required for the 
maintenance visit are retained at the guard desk at the entrance to the 


SCIF. 


E. All software/firmware required for maintenance of diagnostics are 
maintained within the AIPRL and stored and controlled as though classi- 
fied. Maintenance representatives are not allowed to remove any magnetic 


media from the AIPRL. 


F. Malfunctioning circuit boards having certified volatile memory may be 
released from the AIPRL for factory repair only after approval of the 
Customer's ISSO. 


G. Malfunctioning circuit boards having nonvolatile memory components 
may be released from the AIPRL for factory repair only after verification 
by the Customer's ISSO that all memory components are completely sani- 


tized. 


H. A maintenance log is maintained. Whenever maintenance personnel 


visit the AIPRL, the name of the individual, the name of the assigned 
escort, specific ‘maintenance performed, and the date and time are 


recorded in the log. 


I. Remote diagnostics are not utilized for maintenance purposes. 
Approval from the Customer's ISSO will be requested in advance should the 


use of remote diagnostic links come under consideration. 
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J. If required, a separate copy of the dedicated version of the appro- 


priate operating system is made available for maintenance activity. 


SECURITY EDUCATION 


All Eastman Kodak Company personnel who work in the secure area are pro- 
vided a security awareness briefing when assigned to the project and 
every year thereafter. Individual responsibilities are disseminated at 
these must-attend briefings given by the ADP Systems Security Represen- 
tative before access to any system within the AIPRL is granted. 
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